AI Sec Watch

Amazon Q, an AI coding assistant for VS Code, had a high-severity vulnerability (CVE-2026-12957) that let attackers execute arbitrary code and steal cloud credentials just by having a developer open a malicious repository. The problem was that Amazon Q automatically loaded and ran MCP server configurations (local processes that extend an AI assistant's capabilities) from workspace files without asking the user for permission or checking if the folder was trusted. Since these processes inherited the developer's full environment, attackers could access sensitive credentials like AWS keys and API tokens.

AI agents are autonomous programs that can reason, make decisions, and access multiple systems within enterprises, but the identity governance systems (IAM, or identity and access management, which controls who can access what) were designed for humans and fixed service accounts, not for dynamic autonomous actors. The core problem is that agents inherit all the permissions of the human or service identity they operate on behalf of and can access resources across many systems in a single session without traditional checkpoints, creating a governance gap that existing tools cannot see or control.

OpenAI is previewing GPT-5.6, a new series of AI models including Sol (most powerful), Terra (balanced and cheaper), and Luna (fastest and most affordable). The models include enhanced safety protections against misuse and harmful activities, with Sol featuring improved capabilities in coding, biology, and cybersecurity tasks.

The US has proposed the AI Incident Reporting Act, which would require developers of advanced AI models to report major safety and security incidents to the Commerce Department within seven days of discovering them. The law would cover incidents like attempts to evade human oversight, theft of model weights (the internal parameters that make an AI work), and capabilities that could enable cyberattacks or weapons development, with the Commerce Department required to notify Congress within 48 hours for imminent threats.

MCP (model context protocol, a standard for connecting AI agents to business tools) is transitioning to an enterprise version on July 28, 2026, with a 12-month deprecation window for older versions. While the new stateless design removes some vulnerabilities like session hijacking, it introduces new security risks including predictable tracking identifiers that could enable workflow hijacking, HTTP header leaks of sensitive data like API keys, cross-site scripting (XSS, where attackers inject malicious code into web pages) attacks via MCP Apps, and denial-of-service (DoS, overwhelming a system to make it unavailable) risks from long-running tasks.

The GDPR (General Data Protection Regulation, a European law protecting personal data) has successfully increased data protection awareness and compliance among companies over its first 10 years, with enforcement fines exceeding €6 billion. However, businesses increasingly view GDPR as burdensome and complicated, particularly for AI development, with 69% of companies in 2025 reporting that data protection regulations make it difficult to train AI models with sufficient data.

Anthropic is testing mobile support for Claude Cowork, an agentic mode (where Claude can autonomously complete tasks) that lets users manage long-running tasks like document creation and file analysis from their phone. The mobile version would act as a remote control for Cowork running on a desktop computer, allowing users to start tasks, monitor progress, and continue work in the background even when the app is closed.

picklescan (a tool that checks if pickle files, which are Python's serialization format, are safe) through version 0.0.26 fails to detect malicious pickle files that use a hidden code-execution technique through idlelib.pyshell.ModifiedInterpreter.runcode. Attackers can hide dangerous code in pickle files that runs when the file is loaded, potentially compromising PyTorch models and other saved Python objects in supply chain attacks (attacks that compromise software as it's being distributed).

The Trump administration asked OpenAI to delay the full release of GPT-5.6 (a large language model, which is an AI system trained on vast amounts of text) over security concerns. Instead of a public release, OpenAI will first offer the model in limited preview form to only a small group of business customers, with the federal government approving each customer's access individually.